New ZeuS Variant Strikes Again With A Valid Certificate

By ISBuzz Team
Writer, Information Security Buzz | Apr 18, 2014 01:03 am PST

A few weeks ago, Comodo AV Labs discovered a new variant of the ZeuS Banking Trojan, officially named Trojware.Win32.Zbot.sig. The new variant, predominantly active in the U.S. and U.K., attempts to trick the user into executing it by presenting itself as an Internet Explorer document with an icon similar to the Windows browser. This type of rootkit has been around for the last two years; however, this variant executes a particularly dangerous combination: rootkit + malware + valid digital signature, issued to “isonet ag”. This particular combination is not a common occurrence, but it does happen in rare cases.

Why is this variant alarming?

This variant uses a valid digital signature. A digital signature assures browsers and antivirus systems that a file is legitimate and not a threat. At this stage, most antivirus products should detect the threat even with a valid signature. Antivirus products, as well as other security products that analyze executable files, apply certain heuristics when classifying files. One such heuristic is whether or not a file is digitally signed with a valid code signing certificate. Such digitally signed files are more trusted than unsigned files. Therefore, depending on the product in question, threats that could otherwise be detected may be missed or misclassified.

How does the rootkit get onto someone’s machine to begin with?

ZeuS is distributed to a wide audience (e.g. anyone who stores data on their computer), primarily through infected web page components or through a phishing email.

There are three components to this attack:

1) The Downloader: Delivered to the user system by an exploit or an attachment in a phishing email. It will download the rootkit and malware component of the attack.

2) The Malware: In this variant, the malware is a data stealer. The program will steal valuable user data, login credentials, credit card info, etc. that the user keys into a web form.

3) A Rootkit: A rootkit hides the installed malware component, protecting it from detection and removal.

How can you stay protected?

With signed malware on the rise, your chosen AV provider is more important than ever. According to, most commercial antivirus programs are detecting this threat. However, in China, there are still some major antivirus vendors that are not detecting it. So, in order to stay protected, make sure to use a credible antivirus product and keep it up-to-date. And do not open email attachments that look like documents or photos but have an “.exe” extension (e.g. “youandmeinthepub.png.exe” or “yourreceipt.pdf.exe”). Technical details and screenshots can be seen on Comodo’s blog.
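The attachment-name check recommended above can be automated at a mail gateway or in a triage script. The following is an added example, not part of the original article and not Comodo's code; the extension lists and function names are assumptions chosen for illustration.

```python
# Added example: flag attachment names that pair a document/image
# extension with an executable one, e.g. "yourreceipt.pdf.exe".
# The extension sets below are assumptions; adjust them to local policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg", "gif", "txt"}


def classify_attachment(filename):
    """Return 'double-extension', 'executable' or 'ok' for one attachment name."""
    # Keep only the base name, whichever path separator was used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so compare without them.
    name = name.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Final extension is executable; a document or image extension right
    # before it means the name was built to look like a harmless file.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def triage(filenames):
    """Return {name: verdict} for every attachment that is not 'ok'."""
    verdicts = {}
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict != "ok":
            verdicts[name] = verdict
    return verdicts


# Constructed sample input: the two names quoted in the article plus
# benign and edge-case names made up for this example.
SAMPLE_ATTACHMENTS = [
    "youandmeinthepub.png.exe",
    "yourreceipt.pdf.exe",
    "YourReceipt.PDF.EXE. ",
    "setup.exe",
    "report.v2.pdf",
    "holiday.png",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:17} {name!r}")
```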

By Egemen Tas, Vice President of Engineering for Comodo.

Comodo is a leading Certificate Authority and internet security provider. Comodo provides businesses and consumers worldwide with security services, including, PCI scanning, desktop security, and remote PC support. Securing online transactions for more than 200,000 businesses, and with more than 405 million desktop security software installations, including an award-winning and software, Comodo is Creating Trust Online®. To learn more, visit Comodo.